Leopard and NIS and C2 Security

The usual suggestion for improving NIS security is to move to NIS+.
At this point we're much more likely to go to LDAP than to NIS+, because
NIS+ was never that successful and is viewed as a pain to set up. LDAP
doesn't solve many more problems for us (we have no PCs to deal with),
but everybody's doing it.

But until then we still have NIS, and we want to hide our password hashes
from our users, and from the odd hacker who breaks through our defenses.
So on the Suns you can turn on C2 security and use shadow passwords.

The way this works within NIS is that there's a map called "passwd.adjunct"
which holds the actual password hashes, while the public passwd map carries
none. The catch is that to read this map you have to connect to the NIS
server from a privileged (reserved) port, which means you have to be root on
the client: the map is hidden from ordinary users, not from anyone who is
root on a host that can reach the server. And before you write me and tell me
how horrible this is, let me say that with proper control over access
to subnets (no Windows on our trusted subnets, for example) and
firewalling, this can be done with perfectly reasonable security.

Unfortunately, neither Tiger nor Leopard seemed to support this map. But
after reviewing the Leopard source code, there was support there for a NIS
map named "shadow.byname". So I duplicated the secure NIS map passwd.adjunct
as shadow.byname (using the exact same format, just as a guess), and
Leopard picked it up immediately and used it.
Tiger, however, does not support this map either. We will have to run
a temporary NIS domain only for Tiger systems, and work to upgrade all of
our Tiger systems to Leopard. We can live with this since it is only
temporary.
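The map-building step described above, as an added example that is not from the original post or from any vendor tool: a small POSIX shell script that turns a passwd.adjunct-style source file into the key/value input makedbm reads for a shadow.byname map (same line format as passwd.adjunct, just as the post does), refuses malformed lines and empty password fields so that a no-password account never ends up in the secure map, and checks that the public passwd source carries "##user" references rather than hashes or blanks. The paths, user names and crypt strings are constructed for the example; the makedbm invocation is shown in a comment and is not executed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the makedbm(8) input for a
# shadow.byname NIS map from a passwd.adjunct-style source (name:password:...,
# remaining fields copied through uninterpreted), and checks that the public
# passwd source refers to the adjunct map ("##user") instead of carrying hashes.

# Emit "key<TAB>value" pairs as makedbm reads them: key is the user name,
# value is the whole adjunct line. Comment and blank lines are skipped; a
# malformed line or an empty password field makes the function fail (non-zero
# exit, message on stderr) so a password-less account is never published.
shadow_map_input() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }
        NF < 2 || $1 == "" {
            print "malformed line " NR ": " $0 > "/dev/stderr"; bad = 1; next
        }
        $2 == "" {
            print "empty password for " $1 " (line " NR ")" > "/dev/stderr"; bad = 1; next
        }
        { printf "%s\t%s\n", $1, $0 }
        END { exit bad }
    ' "$@"
}

# Succeed (exit 0) only if every entry in a passwd source has the C2-style
# "##user" password field; print each offender (a real hash, or a blank that
# would be served to everyone via passwd.byname) and fail otherwise.
passwd_is_hash_free() {
    awk -F: '
        BEGIN { leak = 0 }
        /^[ \t]*(#|$)/ { next }
        $2 != ("##" $1) { print $1; leak = 1 }
        END { exit leak }
    ' "$@"
}

# Constructed sample data: hypothetical users and made-up crypt strings.
WORK=${TMPDIR:-/tmp}/shadow-demo.$$
mkdir -p "$WORK"
cat > "$WORK/passwd" <<'EOF'
alice:##alice:1001:100:Alice:/home/alice:/bin/sh
bob:##bob:1002:100:Bob:/home/bob:/bin/csh
EOF
cat > "$WORK/passwd.adjunct" <<'EOF'
# name:password:remaining fields as in passwd.adjunct (not interpreted here)
alice:aBcDeFgHiJkLm:::::
bob:NoPqRsTuVwXyZ:::::
EOF

# On the NIS master the output would go to makedbm (not run here), e.g.:
#   shadow_map_input /etc/security/passwd.adjunct | makedbm - /var/yp/$DOMAIN/shadow.byname
passwd_is_hash_free "$WORK/passwd" && shadow_map_input "$WORK/passwd.adjunct"
rm -rf "$WORK"
```

Both functions read standard input when given no file argument, so they can be dropped into an existing /var/yp/Makefile rule as a filter; the important property is that a bad source line fails the build instead of silently producing a map with a hole in it.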